Posts

Windows Exploit Development : Exploiting Structured Exception Handling and ROP Chaining

Hi folks, this post is a continuation of a series I'm doing covering the fundamentals of Windows exploit development. In this post I'm going to inch a little closer to arbitrary code execution by showing you how to chain ROP gadgets and one or two stack pivoting tricks.

So here's how this post is going to go:

- We're going to look at how Structured Exception Handling works
- We're going to break it and show how it breaks
- Then we're going to make it execute whatever code we want
- Figure out how to fix our stack pointer
- Chain some ROP gadgets

What you need

- Windows Virtual Machine
- Debugging Tools for Windows
- Easy MPEG to DVD Burner (copy available on exploit-db)
- ImmunityDBG
- (optional) python script memcoder.py https://gist.github.com/k3170makan/7f55d25869f3f812f8c3706089c0a74c

Reverse Engineering Structured Exception Handling

Structured Exception Handling is a mechanism offered to functions that allows them to customize their responses to hardware and software exceptions. Hardwar…

Windows Exploit Development (primer II) : Corrupting Structured Exception Handling and Controlling Memory Pointers

Hi folks, this post is part of a series in which I introduce some good fundamentals of Windows exploit development - basically documenting as I learn it myself!

In this post we are going to find out how our input breaks certain structures in memory, find different ways to crash the program and discuss the fun things these crashes let us do with our input! Let's get going :)

What you need to get going

Exactly the same as last time!

- Windows Virtual Machine
- Debugging Tools for Windows
- Easy MPEG to DVD Burner (copy available on exploit-db)
- (optional) python script payloadgen.py, mentioned later on in the post

Corrupting Memory
I assume you've got everything sorted out in terms of debugging the application. If the debugger has broken into it (stopped at a breakpoint), you can get it running again after the break by using the "g" (go) command like this:

It should start running unless for some reason it hits another breakpoint. Hit "g" as many times as you need to get the application running smoothly and re…
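The two excerpts above describe the structure we corrupt (the per-function SEH registration record sitting on the stack, pointed to by the chain at fs:[0]) and the way overlong input breaks it. The following is an added example, not code from the original posts or from payloadgen.py: it models, in portable C, a 32-bit stack frame with a 64-byte local buffer directly below the function's EXCEPTION_REGISTRATION_RECORD (nSEH, then SEH), shows that an unchecked copy overwrites nSEH first and SEH next, and recovers the exact offset with a Metasploit-style cyclic pattern. The buffer size, the "real" handler value and the nSEH/SEH values written by the payload are all assumed placeholders, and the copy is clamped to the modelled frame so the model itself stays well-defined.

```c
/* seh_overflow_model.c: model how an overlong copy into a stack buffer
 * overwrites the SEH registration record (nSEH, SEH) of the same function,
 * and how a cyclic pattern recovers the exact overwrite offset.
 * Added example; sizes and addresses below are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE         64            /* assumed size of the local buffer */
#define SENTINEL_NEXT    0xFFFFFFFFu   /* end-of-chain marker Windows uses */
#define SENTINEL_HANDLER 0x7C8BFFFFu   /* placeholder "real" handler address */

/* 32-bit EXCEPTION_REGISTRATION_RECORD as laid out on the stack. */
typedef struct {
    uint32_t next;     /* nSEH: pointer to the next record in the chain */
    uint32_t handler;  /* SEH: pointer to the handler routine */
} seh_record_t;

/* Stack grows down, so the buffer sits at the lower address and a write past
 * its end runs upward into the record. */
typedef struct {
    char buf[BUF_SIZE];
    seh_record_t rec;
} frame_t;

/* Bytes from the start of buf to nSEH: the overflow offset. */
size_t seh_offset(void) { return offsetof(frame_t, rec); }

/* Unchecked copy of attacker input into the frame, as a strcpy/memcpy into
 * the local buffer would do; returns the record after the copy. */
seh_record_t overflow_frame(const unsigned char *input, size_t len) {
    frame_t f;
    memset(f.buf, 0, sizeof f.buf);
    f.rec.next = SENTINEL_NEXT;
    f.rec.handler = SENTINEL_HANDLER;
    if (len > sizeof f) len = sizeof f;   /* clamp: keeps the model defined */
    memcpy(&f, input, len);               /* runs from buf upward into rec */
    return f.rec;
}

/* Metasploit-style cyclic pattern "Aa0Aa1Aa2...": every 4-byte window is
 * unique, so any dword read out of a corrupted field maps to one offset. */
size_t cyclic_pattern(unsigned char *out, size_t n) {
    size_t i = 0;
    for (char u = 'A'; u <= 'Z' && i < n; u++)
        for (char l = 'a'; l <= 'z' && i < n; l++)
            for (char d = '0'; d <= '9' && i < n; d++) {
                char t[3] = { u, l, d };
                for (int k = 0; k < 3 && i < n; k++) out[i++] = (unsigned char)t[k];
            }
    return i;
}

/* Locate a little-endian dword (as read from nSEH/SEH in the debugger) in
 * the pattern; returns -1 if it is not there. */
long pattern_offset(const unsigned char *pat, size_t n, uint32_t value) {
    unsigned char le[4];
    for (int k = 0; k < 4; k++) le[k] = (unsigned char)(value >> (8 * k));
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pat + i, le, 4) == 0) return (long)i;
    return -1;
}

/* Classic SEH payload: padding up to nSEH, then the dwords that land on nSEH
 * and SEH (little-endian). Returns bytes written, 0 if cap is too small. */
size_t build_seh_payload(unsigned char *out, size_t cap, uint32_t nseh, uint32_t seh) {
    size_t off = seh_offset();
    if (cap < off + 8) return 0;
    memset(out, 'A', off);
    for (int k = 0; k < 4; k++) {
        out[off + k]     = (unsigned char)(nseh >> (8 * k));
        out[off + 4 + k] = (unsigned char)(seh  >> (8 * k));
    }
    return off + 8;
}

int main(void) {
    unsigned char pat[256], payload[128];
    size_t n = cyclic_pattern(pat, sizeof pat);
    seh_record_t r = overflow_frame(pat, n);
    printf("after pattern: nSEH=%08x (offset %ld) SEH=%08x (offset %ld)\n",
           r.next, pattern_offset(pat, n, r.next),
           r.handler, pattern_offset(pat, n, r.handler));

    /* 0x42424242 / 0x43434343 are placeholder values, not real addresses */
    size_t plen = build_seh_payload(payload, sizeof payload, 0x42424242u, 0x43434343u);
    r = overflow_frame(payload, plen);
    printf("after payload: nSEH=%08x SEH=%08x\n", r.next, r.handler);
    return 0;
}
```

The order matters in practice: the debugger shows nSEH corrupted four bytes before SEH, which is why the offset you recover from the pattern is the nSEH offset and the handler lands at that offset plus four. An input shorter than the buffer leaves both fields at their original values, which is the check to run before trusting a crash.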

Windows Exploit Development (primer) : Debugging Threads and Analyzing Memory

Hi folks, I thought it's about time to start blogging about the little experience I have in low-level exploitation and analysis, so here goes. To start off on your Windows exploitation journey you need to get to grips with a tool and some tricks that let you look at your target the right way. In this post I cover some things that may help a ton!

Debugging Threads

To get started you are probably going to need a couple of things sorted out first, namely a simple Windows VM set up with debug tools (tons of tutorials out there on the internet) and a target to exploit:

- A Windows VM (Microsoft made them free which is awesome!)
- Windows Debug Tools
- A copy of Easy MPEG to DVD Burner from exploit-db.
Before we can start crashing programs and controlling EIP we need to make sure we have the right view of the target we are exploiting. The Windows debugger is actually pretty useful in this regard, so open it up, open the target program and attach the debugger to it like so:

Once you've…

[Software Philosophy] The Hegelian Triad of Software Development

One question that was pretty interesting to think about in recent days was how to explain what an expression of Hegel's Triad (the thesis, antithesis and synthesis of ideas, or more directly the "Abstract - Negative - Concrete") could be as it pertains to the development/engineering of software.

How to Stomach Hegel's Triad

Hegel was a groundbreaking philosopher who thought up ways to explain our own experience of consciousness and these beasts called "conscious structures": hyper-organizations of collective conscious experience.

He, in other works, not only critiqued history with regard to how it paints a picture of our own experience of conscious structures (which allows us today to ask questions in a very enlightening way, for instance: "is anonymity the same as it was in ancient Rome?", "did the Mayans have a concept of privacy, and is it different from ours?" etc.), but is credited with inventing the very idea of …